From 4179123ce04a50264de10e4466efb672b2ed4ca7 Mon Sep 17 00:00:00 2001
From: Albert Santoni
Date: Fri, 20 Jun 2014 16:41:48 -0400
Subject: [PATCH] Set up CORS for microsite autologin after signup

---
 .../application/controllers/LoginController.php | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/airtime_mvc/application/controllers/LoginController.php b/airtime_mvc/application/controllers/LoginController.php
index f5c6a01d0..0ddb17d2d 100644
--- a/airtime_mvc/application/controllers/LoginController.php
+++ b/airtime_mvc/application/controllers/LoginController.php
@@ -15,6 +15,16 @@ class LoginController extends Zend_Controller_Action
         $request = $this->getRequest();

+        //Allow AJAX requests from www.airtime.pro. We use this to automatically login users
+        //after they sign up from the microsite.
+        $response = $this->getResponse()->setHeader('Access-Control-Allow-Origin', '*');
+        $origin = $request->getHeader('Origin');
+        if (($origin != "") && (!in_array($origin, array("http://www.airtime.pro", "https://www.airtime.pro"))))
+        {
+            //Don't allow CORS from other domains to prevent XSS.
+            throw new Zend_Controller_Action_Exception('Forbidden', 403);
+        }
+
         Application_Model_Locale::configureLocalization($request->getcookie('airtime_locale', 'en_CA'));

         if (Zend_Auth::getInstance()->hasIdentity()) {
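Review bot: `Access-Control-Allow-Origin: *` is set before the origin check, so it is sent on every response including the 403 and plain non-CORS requests, and browsers refuse a wildcard origin for credentialed (cookie-carrying) requests, which an autologin from the microsite presumably relies on; the header should be set only after the allow-list check passes and should echo the validated `$origin` together with `Vary: Origin`. The allow list also omits the instance's own origin, so a browser that attaches `Origin` to same-origin POSTs (Chrome does) would have the normal login form rejected with 403 — the sketch below keeps that behaviour visible with a comment rather than guessing the site URL. Smaller points: `in_array` should pass `true` for strict comparison, `$response` is assigned but never used, and the "prevent XSS" comment would be more accurate as "prevent other origins from driving or reading the login". The enclosing method starts and ends outside the hunk.
```php
        $allowedOrigins = array("http://www.airtime.pro", "https://www.airtime.pro");
        $origin = $request->getHeader('Origin');
        // NOTE(review): add this instance's own origin to $allowedOrigins, or same-origin
        // browser POSTs that carry an Origin header will be rejected here.
        if ($origin != "" && !in_array($origin, $allowedOrigins, true)) {
            //Don't allow other origins to drive or read the login response.
            throw new Zend_Controller_Action_Exception('Forbidden', 403);
        }
        if ($origin != "") {
            // Echo only the validated origin: '*' cannot be combined with credentials,
            // and Vary: Origin stops caches from replaying this header to another origin.
            $this->getResponse()->setHeader('Access-Control-Allow-Origin', $origin)
                                ->setHeader('Vary', 'Origin');
        }
        // … unchanged: locale configuration and identity check …
```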